This pull request introduces a significant enhancement to our netfilter functionality, addressing the problem of incorrectly configured devices which could lock out entire company branches. To mitigate this issue and enhance our network security posture, the following changes have been implemented:
Netfilter Modifications: The netfilter image has been updated to always allow TCP traffic on ports 80 and 443. This adjustment ensures that, despite any broad blocking rules, essential web traffic remains uninterrupted. Please note that this change is currently applied only to the IPTables module; integration with NFTables is pending and will require further contributions.
OpenResty Integration: By leveraging the OpenResty nginx image, which includes integrated support for Lua and Redis, I've established a robust mechanism for dynamic response based on IP reputation. Specifically, the nginx `location / {}` directive now includes a Lua script to check against the `F2B_ACTIVE_BANS` and `F2B_PERM_BANS` in Redis. If an IP is found to be blacklisted, the user is redirected to a custom 403 page explaining the block.
Future Enhancements: While the current implementation focuses on notifying users of a block, plans for future updates include the introduction of a self-service unban feature. This capability would allow users to resolve accidental bans autonomously, reducing administrative overhead and improving user experience.
Your feedback and contributions, especially regarding the integration with NFTables and the development of the self-service unban feature, are highly welcomed and appreciated.
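As an added illustration of the `location / {}` check described above (example configuration written for this page, not the PR's own code), here is an OpenResty `http`-context fragment that looks the client IP up in Redis and serves the custom 403 page on a hit. It assumes Redis on 127.0.0.1:6379 without authentication, that `F2B_ACTIVE_BANS` and `F2B_PERM_BANS` are Redis sets keyed by client IP, an upstream at 127.0.0.1:8080, and a block page at /usr/local/openresty/nginx/html/banned.html; none of these come from the PR.

```nginx
# Added example, not the PR's code. Assumed: Redis sets keyed by client IP,
# upstream app on 127.0.0.1:8080, block page at html/banned.html.
server {
    listen 80;

    # Custom 403 page explaining the block; 'internal' keeps it unreachable directly.
    error_page 403 /banned.html;
    location = /banned.html {
        root /usr/local/openresty/nginx/html;
        internal;
    }

    location / {
        access_by_lua_block {
            local redis = require "resty.redis"
            local red = redis:new()
            red:set_timeouts(100, 100, 100)   -- connect / send / read, in ms

            local ok, err = red:connect("127.0.0.1", 6379)
            if not ok then
                -- Fail open: a Redis outage must not lock every client out,
                -- which is exactly the failure mode this PR is trying to avoid.
                ngx.log(ngx.ERR, "redis connect failed: ", err)
                return
            end

            -- remote_addr is the peer address; behind a load balancer use the
            -- realip module so this is the real client, not the balancer.
            local ip = ngx.var.remote_addr
            local banned = false
            for _, key in ipairs({ "F2B_ACTIVE_BANS", "F2B_PERM_BANS" }) do
                local res, qerr = red:sismember(key, ip)
                if qerr then
                    ngx.log(ngx.ERR, "SISMEMBER ", key, " failed: ", qerr)
                elseif res == 1 then
                    banned = true
                    break
                end
            end

            red:set_keepalive(10000, 100)   -- hand the connection back to the pool

            if banned then
                ngx.log(ngx.WARN, "blocked banned client ", ip)
                return ngx.exit(ngx.HTTP_FORBIDDEN)   -- renders /banned.html
            end
        }

        proxy_pass http://127.0.0.1:8080;   -- assumed upstream, not from the PR
    }
}
```

Because the lookup runs in the access phase, a banned address never reaches `proxy_pass`, and every block and every Redis error lands in the nginx error log, which is what you want to alert on when a branch reports being locked out.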